CRITICAL
Rule Definition
OS command injection occurs when an application builds operating system commands from untrusted input (form fields, cookies, HTTP headers, values containing shell metacharacters, etc.) without sanitizing it, or sanitizes it insufficiently. The resulting commands run with the privileges of the vulnerable service; on an SAP application server that is the operating system user owning the SAP instance.
An attacker can exploit such a vulnerability to execute arbitrary operating system commands on the server, and depending on where the tainted input enters, possibly without authentication. In the SAP case this gives access to arbitrary files and directories in the SAP server file system, including application source code, configuration and critical system files, and so to the critical technical and business-related information stored in the vulnerable system.
Remediation
If system calls are unavoidable, do not call the kernel directly with CALL 'SYSTEM'. Use the function modules SXPG_CALL_SYSTEM or SXPG_COMMAND_EXECUTE instead: they only run external commands that an administrator has registered in transaction SM69 (a logical command name mapped to a fixed executable per operating system), they check authorization object S_LOG_COM for the calling user, and they reject parameter strings they consider a security risk (exception SECURITY_RISK). Keep the command name a fixed literal and pass user input, if at all, only as an argument after validating it against an allowlist in your own code; if the registered command needs no arguments, leave "additional parameters allowed" unset in SM69 so that none can be injected.
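The following is an added example of the remediation above; it is not code from the CAST rule page or from SAP. It rewrites the violating CALL 'SYSTEM' around SXPG_COMMAND_EXECUTE. The external command name ZLIST_DIR is a hypothetical assumption: it is taken to be registered in SM69 (for instance as "ls" on UNIX, with additional parameters allowed), and the calling user is assumed to hold S_LOG_COM for it.

```abap
* Added example (not code from the CAST rule page or from SAP): the violating
* CALL 'SYSTEM' rewritten around SXPG_COMMAND_EXECUTE. Assumptions, marked as
* such: the external command ZLIST_DIR is hypothetical and is assumed to be
* registered in transaction SM69 (e.g. as "ls" on UNIX, additional parameters
* allowed); the caller needs authorization object S_LOG_COM for it.
REPORT zsec_exec_external_command.

" Untrusted input: the directory the user wants listed.
PARAMETERS p_dir TYPE string LOWER CASE.

DATA: lt_protocol TYPE STANDARD TABLE OF btcxpm,   " stdout/stderr lines
      ls_protocol TYPE btcxpm,
      lv_params   TYPE c LENGTH 255,                " ADDITIONAL_PARAMETERS
      lv_status   TYPE c LENGTH 1,                  " 'O' = ok, 'E' = error
      lv_exitcode TYPE i.

" Characters accepted in a path argument; anything else is rejected up front.
CONSTANTS lc_allowed TYPE string
  VALUE 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_/.-'.

AT SELECTION-SCREEN.
  " Own allowlist check before the input ever reaches the kernel: no shell
  " metacharacters, no whitespace (extra arguments), no parent-directory hops.
  IF p_dir IS INITIAL OR p_dir CN lc_allowed OR p_dir CS '..'.
    MESSAGE 'Directory name contains disallowed characters' TYPE 'E'.
  ENDIF.

START-OF-SELECTION.
  lv_params = p_dir.

  " The command NAME is a fixed literal, never built from input; the input is
  " only ever an argument, and SM69 still decides whether arguments are allowed.
  CALL FUNCTION 'SXPG_COMMAND_EXECUTE'
    EXPORTING
      commandname                = 'ZLIST_DIR'
      additional_parameters      = lv_params
      operatingsystem            = sy-opsys
      targetsystem               = sy-host
    IMPORTING
      status                     = lv_status
      exitcode                   = lv_exitcode
    TABLES
      exec_protocol              = lt_protocol
    EXCEPTIONS
      no_permission              = 1
      command_not_found          = 2
      parameters_too_long        = 3
      security_risk              = 4
      wrong_check_call_interface = 5
      program_start_error        = 6
      program_termination_error  = 7
      x_error                    = 8
      parameter_expected         = 9
      too_many_parameters        = 10
      illegal_command            = 11
      OTHERS                     = 12.

  CASE sy-subrc.
    WHEN 0.
      WRITE: / 'Status:', lv_status, 'exit code:', lv_exitcode.
      LOOP AT lt_protocol INTO ls_protocol.
        WRITE: / ls_protocol-message.
      ENDLOOP.
    WHEN 1.
      MESSAGE 'No S_LOG_COM authorization for ZLIST_DIR' TYPE 'E'.
    WHEN 2.
      MESSAGE 'ZLIST_DIR is not defined in SM69' TYPE 'E'.
    WHEN 4.
      " The function module itself refused the parameter string.
      MESSAGE 'Parameters rejected as a security risk' TYPE 'E'.
    WHEN OTHERS.
      MESSAGE 'External command failed' TYPE 'E'.
  ENDCASE.
```

Two layers do the work here: SM69 fixes which executable can run at all, and the program's own allowlist restricts what may be passed as an argument. The second layer matters because SXPG's built-in check targets shell metacharacters, not argument-level abuse of the underlying binary (an attacker-chosen flag is still a valid argument), so the program, not the function module, has to define what a legitimate argument looks like.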
Violation Code Sample
* Untrusted input (here a selection-screen value) is passed straight to the kernel
PARAMETERS p_cmd TYPE c LENGTH 255 LOWER CASE.
DATA: BEGIN OF tabl OCCURS 0,
        line(255),
      END OF tabl.
DATA command TYPE c LENGTH 255.
command = p_cmd.
* CALL 'SYSTEM' runs the string as-is: no SM69 allowlist, no authorization check
CALL 'SYSTEM' ID 'COMMAND' FIELD command
              ID 'TAB'     FIELD tabl-line.
Reference
https://blogs.sap.com/2013/03/06/a-word-about-call-system/
https://erpscan.io/press-center/blog/sap-security-notes-november-2016/
Related Technologies
Technical Criterion
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.